No name, no email — and the technical signals we do collect, we treat as personal data.

A short, accurate, no-dark-patterns privacy notice. We do not claim to be "anonymous" or "PII-free" — under GDPR, the IP / user-agent / device-fingerprint signals we capture for assessment integrity count as pseudonymous personal data, and we treat them accordingly.

A one-paragraph summary

We do not collect your name, email or any contact details. We do record technical signals — your IP address, browser type and a device fingerprint — strictly to protect the integrity of the assessment (detecting tab-switching, session swaps and answer patterns that suggest the test is not being taken honestly). Under GDPR these signals count as pseudonymous personal data; we treat them as such, store them only for the audit window, never sell them, never share them with third parties and never use them for marketing. You can ask at any time what is stored under your access key, or request that we delete it.

Who runs this site

GripMinds is operated from the European Union. For any data-protection question you can write to us via the contact form — every email is answered by a human.

How identity actually works on this platform

We never ask for your name, your phone, your home address or an identity document, and we never store an email address. Every assessment is anchored to a random access token (a long, opaque string) generated when you start the test. Your answers, scores and report sit behind that token. The technical signals we record alongside (see the next section) are bound to the same token, not to a name — but because an IP address plus a browser fingerprint can, in principle, narrow down to a specific person, we treat the whole record as pseudonymous personal data under GDPR. If you want a copy of your report in your inbox, you send the access key to yourself from your own email client — your identity and your access key never meet on our side.

What we collect (the complete list)

For each test session we record: your answers, the timestamps of those answers and the language you took the test in. We also record technical signals strictly for assessment integrity — your IP address, your user-agent (the browser and OS string your device sends), a device fingerprint (a hash derived from rendering, fonts and other browser characteristics) and anti-cheat events (focus-loss, tab-switches, viewport size, copy/paste attempts, "WRONG"-button overuse and similar). These signals exist to let reviewers detect session hijacks (somebody else completing the test on your access key), tab-switching, and answer patterns that suggest the test is not being taken honestly — so the report we issue can actually be trusted. We do not use these signals for tracking, marketing or third-party sharing. Payment information is handled by our payment processor (Stripe) and we never see your card number — Stripe is the only party that links a payment to an email, on its side, under its own privacy policy.

What we do not collect

Your name. Your home address. Your phone number. Your date of birth. Your identity documents. Your photo. Your social-media handles. Your other test results. Your physical location beyond what an IP address roughly implies (which our payment processor also needs to invoice you). None of this is asked for, none of it is stored.

Legal basis under GDPR

The technical signals described above are processed on the basis of legitimate interest (Art. 6(1)(f) GDPR) — specifically, the integrity of an assessment whose value depends on it being taken honestly. Your test answers and report are processed on the basis of contract performance (Art. 6(1)(b)) — delivering the report you paid for. We have weighed these interests against your privacy rights and applied data minimisation, short retention windows and strict access controls.

Enterprise & coach plans — the self-hosted Token Manager

On the Enterprise/Coach plan, your organisation receives a separate, self-hosted application called the GripMinds Token Manager. It is installed inside your own infrastructure (your servers, your cloud account, your security perimeter). Inside the Token Manager — and only there — your team can issue access keys, link them to clients or employees, track who took which assessment and consolidate team-level views. We do not have access to that system, we do not have a copy of the name↔key mapping and we cannot see, query, export or hand over that data because we do not have it. If a regulator asks us who is behind a specific access key, the honest answer is "we do not know — ask the organisation that runs the Token Manager."

Analytics

We use a minimal Google Analytics 4 setup on the marketing pages (this site) to count page views and CTA clicks. It does not see your test answers or your report. You can opt out from the cookie banner; declining analytics has no effect on your ability to take the test or read your report.

Your GDPR rights

You can ask us, at any time, what data is stored under your access token, request a copy of it, request that we correct it, or request that we delete it. Because there is no profile of you outside that token, the practical effect is that providing your access key is the only way for us to find your record — without it, even our own admin team cannot locate the data behind it. Write to us via the contact form with the access key and we will respond within 30 days.

How long we keep your data

Test answers and the report are kept for up to 24 months behind your access key so you can re-download the report. The technical-integrity signals (IP, user-agent, fingerprint, anti-cheat events) are kept for the audit window — typically 12 months — and then deleted. Payment metadata is kept as long as required by EU accounting law (typically 10 years for invoices). The Token Manager on the Enterprise plan has its own retention policy, set by your organisation, not by us.

Cookies

See the dedicated cookies page. There are exactly three cookies: one for your consent choice, one for your language preference, and one for analytics (which you can decline).

Continue reading